7 Replies - 1147 Views - Last Post: 26 June 2013 - 05:46 AM

Asking for help vulnerability

Posted 24 June 2013 - 06:27 AM

I've signed up for a bunch of forums and I was wondering. This may not be specific to the asp.net (it might be since it is server-side stuff) and it is a general programming question overall, but my question is this.

What is a good guideline to reserve myself from posting specific code on a forum? Recently, what I've been doing is making small test applications where I could make functions work and then try to incorporate it in the real program, but I've also had an issue where after trying to incorporating it to the program with purpose, it just doesn't work.

Not posting a username and password is obvious, but if a person had access to the source code (and say I posted it), wouldn't that make me a lot more vulnerable to hackers with ill intentions?

Re: Asking for help vulnerability

Re: Asking for help vulnerability

Posted 24 June 2013 - 07:43 AM

Personally before I even go and ask for help on a forum, because I don't want to waste people's times, I do as you bring up. I write a test scenario.

Really what I try to do is recreate the problem in new code. If I can't recreate it, I continue adding on more and more until I can... once it appears, it's probably the last thing I added where the problem is occurring.

Of course if you never get there, well... you're kinda screwed. I would of course try to consult with someone who does have access to the code you're dealing with. Like a work mate. If you're the ONLY coder though... ouch, that sucks.

Really then all your left with is describing it to the best of your ability to the community. Hopefully, with luck, someone will hear a detail and be like "oh, I've seen that before".

This all of course is under the idea that you're not allowed to share the source code due to contract or something like that.

If you aren't bound by contract, and YOU have full control over the decisions to be made with your code... welp. Show us the offending code.

This isn't going to open you up to any weird vulnerabilities. Or what vulnerabilities it opens you to are minor.

Actually it could help by us pointing out vulnerabilities in your code so you can fix them.

Furthermore you don't have to share the entire project! Just the offending code. As long as you describe your problem well enough and show us that bit of code giving you the problem, most should be able to help it.

Some people like to include zip files of their projects and ask people to run it to "see the problem". Yeah... no... I, and a lot of people like me, won't do that. That's opening yourself up to attack. For me that is, I don't know what your program is, and I'm not going to dig through ALL your code to make sure it doesn't contain malicious code.

Re: Asking for help vulnerability

Personally before I even go and ask for help on a forum, because I don't want to waste people's times, I do as you bring up. I write a test scenario.

Really what I try to do is recreate the problem in new code. If I can't recreate it, I continue adding on more and more until I can... once it appears, it's probably the last thing I added where the problem is occurring.

Second this. The first trick for debugging a problem is to find the spot where the error become manifest, and then track back from there: what values are wrong, and how did they get that way?

If this doesn't get you there, it's probably something you don't understand about the language, so you figure out which language construct or library call isn't doing what you expect, and you try to reproduce the behavior in a toy program. Now you have a small body of code which does something you don't expect - you can now ask a question about that.

Jim Blumberg has a nice phrase for this, he asks people to post "the smallest subset of your code which exhibits the error". The only problem with doing this is that the process of recreating the error often makes it obvious what you need to do to fix it, so you have no question to ask. This is not actually a problem, though.

Re: Asking for help vulnerability

As much as a lot of Bruce Schneier's older texts derides "security through obscurity", the general impression that I got from his later writings is that there is a place for "security through obscurity" like three agencies not revealing all their means and methods to catch the bad guys.

Re: Asking for help vulnerability

Posted 25 June 2013 - 07:01 AM

@op - look.. sure you may be making smaller projects that you plan on incorporating into a larger project, but the fundamental problem is if you are asking for help then I need to see the relevant code, right? I can solve some problems blind, or just throw out suggestions until I am blue in the face, but if you want a definitive spot I can point and howl at then I need to see the code. I have no idea of your skills from Horatio Alger, and just giving me vague, sketchy detailed, writings on what is going on will only carry the day so far.

If you are trying to squash two mud pies together, and it is not working, there could be a near infinite reasons why.. some more obvious than the other... compound that by how far you want the tendrils of one app to dig into the other... wheeew.. that's a mess of issues waiting to leap out and nip at your heels.

At the end of the day if you are asking for help on a debugging error then you need to show the error and relevant code (what ever that may mean) else you can accept the fact that folks will not be able to help you all the time. The other option is to become better at debugging and reserve questions online for conceptual and functionality discussions.

Re: Asking for help vulnerability

Posted 26 June 2013 - 05:46 AM

As an example of vague descriptions, see this thread in the C/C++ forum. Part of the reason the thread is going on for so long is because the OP was originally failing to give enough details of what he really is doing vs what he was describing as what he was doing.